Date: Wed, 9 Jun 1999 00:44:37 -0700
From: John-Mark Gurney <gurney_j@efn.org>
To: hqy2446 <hqy2446@is2.nyu.edu>
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: newbie question: ssh
Message-ID: <19990609004437.15372@hydrogen.nike.efn.org>
In-Reply-To: <Pine.OSF.3.95.990609025840.29957A-100000@is2.nyu.edu>; from hqy2446 on Wed, Jun 09, 1999 at 03:12:25AM -0400
References: <3.0.6.32.19990609015904.007faa30@is2.nyu.edu> <Pine.OSF.3.95.990609025840.29957A-100000@is2.nyu.edu>

hqy2446 scribbled this message on Jun 9:
> On Wed, 9 Jun 1999, Eivind Eklund wrote:
>
> > Date: Wed, 09 Jun 1999 01:59:04 -0400
> > From: Eivind Eklund <eivind@FreeBSD.ORG>
> > To: hqy2446@nyu.edu
> > Subject: Re: newbie question: ssh
> >
> > On Tue, Jun 08, 1999 at 03:07:49AM -0400, hqy2446 wrote:
> > > I have a newbie question regarding X connection forward by ssh.
> > >
> > > After I installed ssh-1.2.27 and ssh-2.0.13, I was unable to use 'X
> > > connection forwarding' at certain servers. Now I tried this command:
> > >
> > > $ ssh -l [username] [remote host] xterm -display [my ip address]:0.0
> > >
> > > xterm of the remote host was opened and I could run X clients on the host.
> > >
> > > I want to make sure that this connection is secured or not by experts or
> > > experienced users of ssh.
> >
> > Not secured.
> >
> > > And one more question: What is the difference between above way of
> > > connection and just a connection to a remote host by ssh(just like a
> > > telnet) and run X clients at the remote host shell?
> >
> > ssh will normally set up an emulated display at localhost:10.0 (or
> > 11.0, 12.0, etc - depends on how many other ssh users you have.) This
> > is securely forwarded, and is what you'll normally use. Your setup
> > makes the program use an insecure connection over the normal net
> > instead.
>
> Thanks for your reply. Now I have a question. How can I make a secure
> connection to a remote host using by ssh? My FreeBSD box is stand-alone,
> I am the only user. I re-compile ssh-1.2.27 and ssh-2.0.13 with X
> connection forward option (it was default option, though). I still can't
> make X connection forward to a certain remote host, not all of them.
>
> What I did is
>
> $ xhost +[remote host]

NEVER EVER do this!!!  this is BAD, anyone on [remote host] can now
connect to your server and intercept ANY keystrokes that you may type,
this includes any passwords you may type...

instead you want to run xauth on the local machine, extract the info
for the tcp/ip transport one, and add it to the remote machine's xauth
database, then you can export your display info properly...

example:

    hydrogen,ttypb,~,501$xauth
    Using authority file /a/home/johng/.Xauthority
    xauth> list
    lead.fircrest.net:0  MIT-MAGIC-COOKIE-1  12402031784e167c4c261c1d50781e07
    xauth> quit

the lead.fircrest.net line is because I used xdm to query and login
remotely...  now I would run xauth on the remote machine and issue
the command:

    add lead.fircrest.net:0 MIT-MAGIC-COOKIE-1 12402031784e167c4c261c1d50781e07

and then:

    export DISPLAY=lead.fircrest.net:0

then I can run my applications, but the X connection is still not
encrypted, just protected from other non-root users from being able to
listen in...

as for why ssh isn't doing all the forwarding work for you, that's
another puzzle, you need to make sure you build ssh when the X libs
are installed on the machine, I built ssh once, then installed the X
libs, of course X forwarding didn't work till we rebuilt ssh...

-- 
  John-Mark Gurney                      Voice: +1 541 684 8449
  Cu Networking                         P.O. Box 5693, 97405

  "The soul contains in itself the event that shall presently befall it.
  The event is only the actualizing of its thought." -- Ralph Waldo Emerson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990609004437.15372>
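
The distinction drawn in this thread, as an added example that is not part of the original messages: a shell check that classifies a DISPLAY value (ssh proxy display versus direct, unencrypted TCP) and flags host-wide grants in `xhost` output. The function names, sample hostnames, and the assumed `xhost` output format are illustrative assumptions; the display-10 threshold follows the localhost:10.0 behaviour described in the quoted reply.

```shell
#!/bin/sh
# Added example, not from the original message.
# classify_display VALUE prints one of:
#   local          unix socket or loopback display on this machine
#   ssh-forwarded  loopback proxy display numbered 10 or higher
#   tcp-cleartext  direct X11 over TCP to a named host, unencrypted
#   invalid        not a host:display[.screen] string
classify_display() {
    cd_val=$1
    case $cd_val in
        *:*) ;;
        *) echo invalid; return 1 ;;
    esac
    cd_host=${cd_val%:*}      # text before the last colon
    cd_num=${cd_val##*:}      # "10.0" or "10"
    cd_num=${cd_num%%.*}      # drop the screen number
    case $cd_num in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    case $cd_host in
        ''|unix) echo local ;;
        localhost|127.0.0.1)
            # Assumption: sshd's proxy displays start at 10 (10.0, 11.0, ...).
            if [ "$cd_num" -ge 10 ]; then echo ssh-forwarded; else echo local; fi ;;
        *) echo tcp-cleartext ;;
    esac
}

# audit_xhost reads `xhost` output on stdin and reports host-wide grants,
# i.e. the state left behind by `xhost +[remote host]` or `xhost +`.
audit_xhost() {
    while IFS= read -r ax_line; do
        case $ax_line in
            'access control disabled'*) echo "OPEN: any host may connect" ;;
            'access control enabled'*|'') ;;
            LOCAL:|SI:localuser:*) ;;   # local-only grants, not host-wide
            *) echo "HOST-GRANT: ${ax_line#INET:}" ;;
        esac
    done
}

# Constructed sample input (assumed format of current xhost output).
sample_xhost='access control enabled, only authorized clients can connect
INET:remote.example.org
SI:localuser:alice'
printf '%s\n' "$sample_xhost" | audit_xhost
for d in ':0' 'localhost:10.0' '192.0.2.7:0.0'; do
    printf '%s -> %s\n' "$d" "$(classify_display "$d")"
done
```

A display such as lead.fircrest.net:0 classifies as tcp-cleartext even with a correct xauth cookie in place, matching the point in the reply that the cookie restricts who can connect but does not encrypt the session.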